From: Adrian Klaver
To: Edmundo Robles, pgsql-general@lists.postgresql.org
Subject: Re: I have a suspicious query
Date: Fri, 11 Jul 2025 10:23:15 -0700
Message-ID: <91df04dd-04fc-420d-821c-ffd3786a1c68@aklaver.com>
On 7/11/25 10:12 AM, Edmundo Robles wrote:
> Hi
>
> I have (PostgreSQL) 13.16 (Debian 13.16-0+deb11u1)
> While monitoring active queries, I came across the following:
>
> `DROP TABLE IF EXISTS _145e289026a0a2a62de07e49c06d9965; CREATE TABLE
> _145e289026a0a2a62de07e49c06d9965(cmd_output text); COPY
> _145e289026a0a2a62de07e49c06d9965 FROM PROGRAM 'BASE64 string'`
>
> The 'BASE64 string' appears to be a shell script that creates hidden
> directories, `.xdiag` and `.xperf`, in `/tmp`.
>
> Could you please help me locate and clean these? I apologize if this is
> not the appropriate contact for this issue.

Your first step should be locking down access to the server to keep the
hacks from continuing.

You already seem to know what directories are involved. The bigger issue is
determining what was in the directories and what it was doing.

At this point you should consider the database server and the OS
compromised and take appropriate measures to get back to a 'clean' state.

> Thanks,
> Edmundo

-- 
Adrian Klaver
adrian.klaver@aklaver.com
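A detection-side sketch, added here and not part of the thread: it scans PostgreSQL statement-log lines for `COPY ... FROM PROGRAM`, decodes any base64 blob in the program argument, and flags the markers Edmundo describes (a shell script creating hidden directories under `/tmp`). The log format, role and database names, and the harmless stand-in script are constructed assumptions, not data from the thread.

```python
import base64
import binascii
import re
from typing import List, Optional

# COPY ... FROM PROGRAM runs a shell command as the postgres OS user (superuser or
# pg_execute_server_program only), so every hit in log_statement output is worth
# review; base64 blobs in the argument are decoded and checked for the thread's markers.
COPY_PROGRAM_RE = re.compile(
    r"\bCOPY\s+(\S+)\s+FROM\s+PROGRAM\s+'((?:[^']|'')*)'", re.IGNORECASE)
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
SUSPICIOUS_MARKERS = (b"#!", b"mkdir", b"/tmp/.")

# Constructed sample: a harmless stand-in script, encoded at runtime so the
# constructed log lines (log_line_prefix '%m [%p] %u@%d ') stay consistent.
CONSTRUCTED_SCRIPT = b"#!/bin/sh\nmkdir -p /tmp/.xdiag /tmp/.xperf\n"
ENCODED = base64.b64encode(CONSTRUCTED_SCRIPT).decode()
SAMPLE_LOG = [
    "2025-07-11 10:12:01 UTC [4242] app@appdb LOG:  statement: SELECT 1",
    "2025-07-11 10:12:03 UTC [4242] app@appdb LOG:  statement: CREATE TABLE "
    "_145e289026a0a2a62de07e49c06d9965(cmd_output text); COPY _145e289026a0a2a62de07e49c06d9965 "
    f"FROM PROGRAM 'echo {ENCODED} | base64 -d | sh'",
    "2025-07-11 10:12:05 UTC [4243] report@appdb LOG:  statement: COPY sales TO '/tmp/sales.csv' CSV",
]

def scan_statement(statement: str) -> Optional[dict]:
    """Return a finding for a COPY ... FROM PROGRAM statement, else None."""
    m = COPY_PROGRAM_RE.search(statement)
    if m is None:
        return None
    table, program = m.group(1), m.group(2).replace("''", "'")
    decoded = b""
    for tok in B64_TOKEN_RE.findall(program):  # decode base64-looking tokens
        try:
            decoded += base64.b64decode(tok, validate=True)
        except (binascii.Error, ValueError):
            continue  # not really base64 (e.g. a long hex or path fragment)
    return {"table": table, "program": program,
            "decoded": decoded.decode("utf-8", "replace"),
            "indicators": [mk.decode() for mk in SUSPICIOUS_MARKERS if mk in decoded]}

def scan_log(lines: List[str]) -> List[dict]:
    """Run scan_statement over the 'statement: ' part of each log line."""
    findings = []
    for line in lines:
        idx = line.find("statement: ")
        if idx >= 0 and (finding := scan_statement(line[idx + 11:])) is not None:
            findings.append(dict(finding, line=line))
    return findings
```

Any finding at all is the signal; the decoded indicators only help triage, since a real payload may be fetched rather than embedded.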